In general, the procedure of enabling auditing consists of two steps. To audit access to Active Directory, you must:
1. Enable the appropriate auditing policy.
2. Specify the events to audit.
Auditing access to Active Directory objects relates to operations performed on the domain controller. Therefore, the most appropriate place to enable auditing is the Default Domain Controllers Policy (or another GPO linked to the Domain Controllers OU). You may use either the Group Policy Object Editor snap-in linked to that GPO or the Domain Controller Security Policy snap-in. Select the node Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy and double-click the Audit directory service access policy (Fig. 8.7). (The default setting for all audit policies is No auditing.) Then set the Define these policy settings flag and check the Success and/or Failure box.
Fig. 8.7: Enabling auditing events related to access to Active Directory objects
No auditing and Not defined are not the same thing. When a policy is Not defined, you can define it at any other level. If a policy is set to No auditing, it overrides all possible settings from other levels. The group policies for the Domain Controllers OU are applied last and have the highest priority. Therefore, the default audit settings defined by these policies override any parameters assigned at other (lower priority) levels.
After the policy has been set, you can immediately apply it with either the secedit /refreshpolicy machine_policy or the gpupdate /Target:Computer command.
For read operations, it is recommended that you audit failure events, because a large number of successful event entries can quickly overflow the Security log.
The performance of domain controllers can also suffer. For write, create/delete, and other similar operations (that are much less frequent than read operations), it is possible to audit both success and failure events.
By default, special access (successful and failed events) to all objects in a domain is audited for the Everyone group. All domain objects inherit this setting from the root domain container (Fig. 8.8). Some containers have additional audit settings. All settings include auditing for "critical" operations, such as Write, Delete, Modify, and others. (Look up the entire list.)
Fig. 8.8: The default audit settings for the Users container
You can see all audit entries in an object's Properties window: open the Security tab, click Advanced, and open the Auditing tab. Then click Edit to view or change audit parameters. If you open the Auditing tab for a non-root directory object, you will notice that all checked boxes are grayed out. This means that all parameters are inherited from the parent object. They cannot be modified directly, so you may need to edit the parent or root object instead. If you check a box that is not grayed out, the system will create a new auditing entry and add it to the list for the selected object only.
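The same inspection and change can be scripted instead of done through the Properties window. The following is an added example, not code from the book: it verifies that the Audit directory service access policy is in effect on the domain controller, lists the inherited and explicit auditing entries of one OU, and adds a Failure-only entry for read access, which is the setting the text recommends for read operations. The OU distinguished name is a placeholder; the script assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module (which provides the AD: drive).

```powershell
# Added example (not from the book). Assumes an elevated session on a DC with the
# ActiveDirectory module; the OU path below is a placeholder to replace.
Import-Module ActiveDirectory

# 1. Effective audit policy as the local security subsystem sees it. After changing the
#    GPO, run "gpupdate /Target:Computer" and re-check until the subcategory shows
#    Success and/or Failure instead of "No Auditing".
auditpol /get /category:"DS Access"

# 2. Read the OU's SACL. -Audit is required; without it Get-Acl returns only the DACL.
$ouPath = 'AD:\OU=Servers,DC=example,DC=com'   # placeholder DN
$acl = Get-Acl -Path $ouPath -Audit

# Entries with IsInherited = True are the ones grayed out in the Auditing tab; they come
# from the parent and must be changed there, not on this object.
$acl.Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# 3. Add an explicit Failure-only entry for read-type access by Everyone, applied to this
#    OU and all objects below it. Everyone is resolved from its well-known SID so the
#    script does not depend on the display language of the server.
$everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Failure,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl   # writing a SACL requires SeSecurityPrivilege

# Confirm the new entry is stored on this object (IsInherited = False).
(Get-Acl -Path $ouPath -Audit).Audit |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags -AutoSize
```

Auditing the success of read operations is deliberately left out here, for the reason given above: on a busy domain controller it fills the Security log quickly and costs performance. Note that the SACL entry alone produces nothing until the Audit directory service access policy is enabled and refreshed, which is why the script checks auditpol first.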
Because successful events are registered by default, you might get a huge number of entries in the Event Viewer when working with auditing turned on. Therefore, you might want to change the default settings when performing an audit for an extended period of time.
You can view all information on audit events in the Security log of the Event Viewer. The source for these events is "Security", and the category is "Directory Service Access".
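Because successful events are recorded by default, reading the result in the Event Viewer window quickly becomes impractical during a long audit. The following added example (not from the book) collects the Directory Service Access events from the Security log for the last 24 hours and summarizes them by account and outcome, separating failed from successful access attempts. It assumes it runs on the domain controller with rights to read the Security log, and it uses event ID 4662 ("An operation was performed on an object"), the event that current Windows versions write in this category.

```powershell
# Added example (not from the book). Assumes a session on the DC with read access to the
# Security log. Event ID 4662 is the Directory Service Access event on current Windows.
$since = (Get-Date).AddHours(-24)

# -FilterHashtable filters server-side, which is far faster than piping all Security
# events through Where-Object. Get-WinEvent raises an error when nothing matches, so
# that case is turned into an empty result instead.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten each event's EventData into one object. The "Audit Failure" keyword marks a
# denied access attempt; everything else in this log is a success audit.
$summary = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object  = $data['ObjectName']
        Access  = $data['AccessMask']
    }
}

# Who touched the directory, how often, and whether they were refused.
$summary |
    Group-Object Outcome, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The failed attempts themselves, oldest first, for closer review.
$summary | Where-Object Outcome -eq 'Failure' | Sort-Object Time |
    Format-Table Time, Account, Object, Access -AutoSize
```

If the first table is dominated by success entries for service and machine accounts, that is the log overflow the text warns about, and the cue to restrict success auditing to write, create and delete operations for the duration of the audit.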